OSSEC HIDS – Blocking the ZmEu bot and other web scanners
The web scanners available on the internet and the wretched ZmEu bot end up making life hell for our web servers.
Apache usually answers these probes with a string of 400-series errors (in the log below they are 404 Not Found; OSSEC's rule 31101, "Web server 400 error code", matches any 4xx status, not just 400 Bad Request). To put an end to this nuisance we can block the offending addresses with OSSEC.
Sample ZmEu bot log entries
82.145.xx.xx - - [13/Aug/2010:07:19:36 -0300] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 192 "-" "ZmEu"
82.145.xx.xx - - [13/Aug/2010:07:19:35 -0300] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 198 "-" "ZmEu"
82.145.xx.xx - - [13/Aug/2010:07:19:35 -0300] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 194 "-" "ZmEu"
82.145.xx.xx - - [13/Aug/2010:07:19:34 -0300] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 192 "-" "ZmEu"
82.145.xx.xx - - [13/Aug/2010:07:19:33 -0300] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 191 "-" "ZmEu"
82.145.xx.xx - - [13/Aug/2010:07:19:33 -0300] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
Add the following active-response block to ossec.conf. The route-null command it calls is already defined in the default configuration (it runs route-null.sh, which adds a null route for the offending source IP), and rule 31151 is the stock "Multiple web server 400 error codes from same source ip" rule from web_rules.xml:
<!-- Active response to block http scanning -->
<active-response>
  <command>route-null</command>
  <location>local</location>
  <!-- Multiple web server 400 error codes from same source IP -->
  <rules_id>31151</rules_id>
  <timeout>600</timeout>
</active-response>
With location set to local the response runs on the host that raised the alert, and timeout 600 removes the null route again after ten minutes. Put your own management and monitoring addresses in a white_list entry under global in ossec.conf first, since a null route drops all traffic from the blocked IP, not only HTTP.
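To see exactly when the active response above would fire, here is a small Python script that reproduces the logic of the 31101 to 31151 rule chain (count 4xx responses per source IP in a sliding 120-second window, report the IP once ten land inside it) and runs it over constructed Apache access-log lines. It is an added example, not code from the original post, from OSSEC or from ITSC Blog; the sample lines and the RFC 5737 addresses in them are made up for the demonstration, and the frequency and timeframe values are taken from OSSEC's stock web_rules.xml.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format, the layout of the ZmEu lines above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds of rule 31151 in OSSEC's stock web_rules.xml:
# ten matches of rule 31101 (any 4xx) from one source IP inside 120 s.
FREQUENCY = 10
TIMEFRAME = 120


def parse(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def scan_offenders(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return {source_ip: timestamp at which it first crossed the threshold}.

    Mirrors the 31101 -> 31151 chain: only 4xx responses count, events are
    kept per source IP in a sliding window of `timeframe` seconds, and the
    IP is reported once `frequency` events sit inside that window.
    """
    events = [ev for ev in map(parse, lines) if ev and 400 <= ev["status"] <= 499]
    events.sort(key=lambda ev: ev["ts"])      # logs are often shown newest-first
    window = defaultdict(deque)
    hits = {}
    for ev in events:
        q = window[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()                        # expire events outside the window
        if len(q) >= frequency and ev["ip"] not in hits:
            hits[ev["ip"]] = ev["ts"]
    return hits


# ---- constructed sample input (not from the original post) -----------------
PATHS = ["/phpadmin/scripts/setup.php", "/myadmin/scripts/setup.php",
         "/mysqladmin/scripts/setup.php", "/dbadmin/scripts/setup.php"]


def log_line(ip, when, path, status, ua="ZmEu"):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S") + " -0300"
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 192 "-" "{ua}"'


def sample_log():
    """Three clients (RFC 5737 documentation addresses): a fast ZmEu-style
    scan, a normal browser, and a scanner that paces itself under the rate."""
    t0 = datetime(2010, 8, 13, 7, 19, 30)
    lines = []
    for i in range(12):                        # 12 probes in 4 s, all 404
        lines.append(log_line("203.0.113.5", t0 + timedelta(seconds=i // 3),
                              PATHS[i % len(PATHS)], 404))
    lines.append(log_line("198.51.100.7", t0, "/", 200, ua="Mozilla/5.0"))
    lines.append(log_line("198.51.100.7", t0 + timedelta(seconds=1),
                          "/favicon.ico", 404, ua="Mozilla/5.0"))
    for i in range(10):                        # 10 probes, one every 30 s
        lines.append(log_line("192.0.2.9", t0 + timedelta(seconds=30 * i),
                              PATHS[i % len(PATHS)], 404))
    return lines


if __name__ == "__main__":
    for ip, when in scan_offenders(sample_log()).items():
        print(f"{ip} would be null-routed at {when:%H:%M:%S}")
```

Only the fast scanner is reported: the browser's lone 404 never reaches the count, and the scanner that sends one probe every 30 seconds never has more than five events inside any 120-second window, so a rate-based rule like 31151 will not block it. To check what the real rules do with a given line, paste it into /var/ossec/bin/ossec-logtest on the server and read the rule id it reports.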
Source: ITSC Blog